Windows surprise patch KB 4078130: The hard way to disable Spectre 2

Disabling the disruptive 'Spectre 2' mitigation for Intel processors has always been quite straightforward, but on Friday night Microsoft released a download-only patch that also does the job. You probably don’t want it.

As we crawl deeper down the Meltdown/Spectre bunny hole, Microsoft released on Friday night a weird, download-only patch that disables the “fix” that’s supposed to protect you against one of the Spectre variants. It’s the same patch, working the same way, on every version of Windows, from Win7 to the latest Win10 beta builds.

I’m tempted to call it an out-of-band patch, but truth is that all of this month’s patches have been out of band.

You’ve no doubt been inundated by the news about Meltdown and Spectre, the two (actually, three) highly publicized security vulnerabilities in essentially all modern computer chips that, at this point, have never been seen exploited on a real, live, in-the-wild computer.

On Friday night, Microsoft released a strange patch called KB 4078130 that “disables mitigation against Spectre, variant 2.” The KB article goes to great lengths describing how Intel’s the bad guy and its microcode patches don’t work right:

While Intel tests, updates and deploys new microcode, we are making available an out of band update today, KB4078130, that specifically disables only the mitigation against CVE-2017-5715 – “Branch target injection vulnerability.” In our testing this update has been found to prevent the behavior described.

It appears that these are the same changes implemented weeks ago by Steve Gibson in his InSpectre program. Steve’s program gives you the option to turn off Spectre protection. The registry keys were originally documented on Jan. 3 — they’re hardly new.

But how, you may ask, does KB 4078130 actually work? It probably doesn’t disable Intel’s BIOS/UEFI firmware (although there was one occasion I can recall, years ago, when a Windows patch did update Intel microcode). More likely, the registry changes implement some sort of bypass within Windows itself to avoid using the dicey Spectre 2 part of the Intel microcode. Only Microsoft knows for sure, and Microsoft ain’t saying.

So, the proverbial bottom line: Should you be concerned?

Short answer, no. In particular, if you’ve followed my recommendations and avoided this entire Meltdown/Spectre upgrading debacle — haven’t installed any of this month’s patches, haven’t installed the latest BIOS/UEFI microcode — there’s nothing in KB 4078130 that’s of interest.